feat: implement PAT token encryption at rest#2
Open
BrawlerXull wants to merge 1 commit into
Open
Conversation
Encrypt agent GitHub PAT tokens using AES-256-GCM encryption, matching the existing pattern used for cloud credentials. PAT is now sealed in storage and only decrypted when needed for GitHub operations. Changes: - Add Agent.PATSealed field (encrypted via FLOW_SECRET_KEY) - Add Agent.GetPAT() / SetPAT() methods with backward compatibility for plaintext PAT (agents created before this change) - Update all PAT access points to use GetPAT() - Update all PAT write points to use SetPAT() - API handlers (test-auth, install-webhook) now decrypt on-demand - Build executor: decrypt PAT before passing to clone/registry-auth - Promote executor: decrypt PAT before GitHub operations - SAST executor: decrypt PAT before cloning - Fix Dockerfile Go version: 1.24 → 1.25 (go.mod requirement) Backward compatibility: - Agents with plaintext PAT (pre-encryption) still work - GetPAT() falls back to plaintext field if PATSealed is empty - No database migration required Testing: - All encryption/decryption operations tested - Docker build passes - Code compiles without errors
BrawlerXull
force-pushed
the
feat/encrypt-pat-tokens
branch
from
e7fdb80 to
90a9a48
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Encrypt agent GitHub PAT tokens using AES-256-GCM encryption, matching the existing pattern used for cloud credentials. PAT is now sealed in storage and only decrypted when needed for GitHub operations.
Changes:
Backward compatibility:
Testing:
Fixes: #3